[cryptography] OneRNG kickstarter project looking for donations

2014-12-15 Thread ianG

https://www.kickstarter.com/projects/moonbaseotago/onerng-an-open-source-entropy-generator

About this project

After Edward Snowden's recent revelations about how compromised our 
internet security has become, some people have worried about whether the 
hardware we're using is compromised - is it? We honestly don't know, but 
like a lot of people we're worried about our privacy and security.


What we do know is that the NSA has corrupted some of the random number 
generators in the OpenSSL software we all use to access the internet, 
and has paid some large crypto vendors millions of dollars to make their 
software less secure. Some people say that they also intercept hardware 
during shipping to install spyware.


We believe it's time we took back ownership of the hardware we use day 
to day. This project is one small attempt to do that - OneRNG is an 
entropy generator: it makes long strings of random bits from two 
independent noise sources that can be used to seed your operating 
system's random number generator. This information is then used to 
create the secret keys you use when you access web sites, or use 
cryptography systems like SSH and PGP.


Openness is important: we're open sourcing our hardware design and our 
firmware, and our board is even designed with a removable RF noise shield (a 
'tin foil hat') so that you can check to make sure that the circuits 
that are inside are exactly the same as the circuits we build and sell. 
In order to make sure that our boards cannot be compromised during 
shipping we make sure that the internal firmware load is signed and 
cannot be spoofed.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] OneRNG kickstarter project looking for donations

2014-12-15 Thread Jeffrey Goldberg
On 2014-12-15, at 1:18 PM, ianG i...@iang.org wrote:

> https://www.kickstarter.com/projects/moonbaseotago/onerng-an-open-source-entropy-generator


Although I’ve got some quibbles with the description, I was more than happy to 
back this.

Before I get to those quibbles, I will talk a bit about why I am enthusiastically 
backing this project.

I work for a company that makes a consumer-oriented password manager. We need 
to generate a number of cryptographic keys, and on OS X and Windows we rely on 
the CSPRNGs provided by those OSes. (We do our own version of HKDF when 
generating master keys, but are still using the OSes' CSPRNGs.)

After BULLRUN, we took a look at all of the crypto that we use with an eye to 
whether there was a possibility of it having a backdoor or being deliberately 
weakened. The only primitives that we were using were AES and SHA-2, and so 
remained confident that neither the algorithms nor the implementations could be 
backdoored in a way that could remain undetected. (Because of how we use these, 
things like timing attacks and other side-channel attacks are not relevant.)

The exception, of course, is with the system CSPRNGs. It is just hard to know that 
they are behaving as advertised. Perhaps when I ask for 16 random bytes, I’m 
only getting 64 bits of entropy. (Of course the system can’t be too biased 
without that being eventually detected.)

Anyway, so I love the idea of having something like this. I can combine data 
from this sort of device with data from the system’s CSPRNGs (possibly using HKDF 
or even a simple XOR) and be guaranteed something that is at least as strong as 
the stronger of the two. (I might have to look at what kinds of processes 
might be able to snoop on data retrieved from the USB device in userland.)


Now some minor quibbles of presentation.

> What we do know is that the NSA has corrupted some of the random number 
> generators in the OpenSSL software we all use to access the internet,

To my knowledge it is only one PRNG, and while “one” can be considered “some”, 
it is a bit misleading. But more importantly, that one never actually got used 
in OpenSSL. It turns out that there was an implementation bug that rendered 
Dual_EC_DRBG completely unusable in OpenSSL. Because it was such a poor choice 
to use anyway, nobody even noticed this until people started to test it after 
the BULLRUN disclosures.

As far as anyone knows, it seems like only the users of RSA Inc’s BSafe crypto 
library were ever actually subject to the sabotage.

> and has paid some large crypto vendors millions of dollars to make their 
> software less secure.

Again, we have the instance of the deal with RSA Inc to make Dual_EC_DRBG the 
default in BSafe. While there may be other such deals that we don’t know 
anything about, that is the one in which there is a smoking gun (and bloody 
hands, and fingerprints). I find it deliciously ironic that many (most?) of 
RSA Inc.’s customers are those doing military contracting for the US.

I’m not at all trying to say, “well, it was just that once”. After all, what 
we’ve learned from this is what the NSA is willing to do to subvert 
cryptographic tools. And we know from BULLRUN about the existence of “working 
with our industry partners”, but we are left frustratingly blind as to what 
that actually means.

So I fully agree that what the BULLRUN revelations mean is that the government 
never actually surrendered at the end of the Crypto Wars. Instead they 
pretended to, but went on fighting underground.

> Some people say that they also intercept hardware during shipping to install 
> spyware.

Although I believe that such intercepts and implants do happen, I react badly 
to “Some people say …”. It’s the kind of phrase that, at least in the US, is 
followed by things like “… Obama is plotting to outlaw Christianity”. “Some people 
say …” is used all too often to start rumors without ever being accountable.

I would replace “Some people say” in your notice with “There is reason to 
believe”. (There is reason to believe.)

Again, I am fully supportive of the goals and the reasons for this project. I 
just have quibbles about the text that I have probably gone on about too much.

Cheers,

-j
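The mixing idea in Jeffrey's reply (combine bytes from a USB entropy device with the OS CSPRNG, by XOR or by HKDF, so the result is no weaker than the stronger source) is worked through below as an added example; it is not code from the thread or from the OneRNG project. The "device" stream is a constructed, deliberately biased stand-in generated in software, not a read from real hardware, and the HKDF-Extract/Expand functions are written out per RFC 5869 rather than taken from a library. Plain XOR only gives the "at least as strong as the stronger source" guarantee when the two inputs are independent and equal in length; HKDF removes the length constraint and still lets either source rescue the other.

```python
import hashlib
import hmac
import os
import random


def xor_mix(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings.

    If the inputs are independent and at least one is uniformly random, the
    output is uniformly random, so it is no weaker than the stronger source.
    The equal-length requirement is the main practical nuisance of plain XOR.
    """
    if len(a) != len(b):
        raise ValueError("xor_mix needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)  # RFC default salt
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand: requested length too long")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_mix(device_bytes: bytes, system_bytes: bytes, length: int,
             info: bytes = b"entropy-device + os-csprng") -> bytes:
    """Combine two entropy sources with HKDF.

    Both inputs enter the extract step (one as salt, one as IKM), so either
    source being unpredictable makes PRK unpredictable; lengths need not match.
    """
    prk = hkdf_extract(system_bytes, device_bytes)
    return hkdf_expand(prk, info, length)


def ones_fraction(data: bytes) -> float:
    """Fraction of set bits: a crude bias check for a byte stream."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))


def biased_source(n: int, p_one: float, seed: int) -> bytes:
    """Constructed stand-in for a faulty entropy device whose bits are 1 with
    probability p_one. Seeded so the demo is repeatable; NOT a hardware read."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (1 if rng.random() < p_one else 0)
        out.append(byte)
    return bytes(out)


def demo(n: int = 4096) -> dict:
    """Mix a heavily biased stand-in device stream with os.urandom output and
    report the one-bit fraction of each stream (0.5 is the unbiased value)."""
    device = biased_source(n, p_one=0.9, seed=1)   # obviously broken on its own
    system = os.urandom(n)                         # the OS CSPRNG
    mixed_xor = xor_mix(device, system)
    mixed_hkdf = hkdf_mix(device, system, n)
    return {
        "device_bias": ones_fraction(device),
        "xor_bias": ones_fraction(mixed_xor),
        "hkdf_bias": ones_fraction(mixed_hkdf),
    }


if __name__ == "__main__":
    for name, frac in demo().items():
        print(f"{name}: {frac:.3f}")
```

The bias check is only a sanity test of the mixing step, not a test of either source: a stream can pass it and still be predictable, which is exactly the worry raised about system CSPRNGs above. Mixing protects against one source being bad; it cannot tell you which one that is.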
